Allow everyone to use SFTP and restrict SSH port forwarding #6059
Fix SSH login failure with conflicting group permissions NethServer/dev#6058
Allow everyone to use SFTP and restrict SSH port forwarding NethServer/dev#6059
UI allow Everyone to SSH NethServer/dev#6059
QA Install nethserver-cockpit and nethserver-openssh from testing then you will see a new Everyone widget to delegate the access, to ssh and/or sftp. You need to demonstrate that if Everyone is granted to ssh and/or sftp, a user can access even if its group is not listed, if Everyone is
VERIFIED ok - ssh ok - sftp-only, no port forwarding:
With the new policy we allow a group to use OpenSSH, and we decide who is able to use either SSH and SFTP or only SFTP. It could be interesting to delegate a group matching everybody on the server. This will ease the authorization process if we want to delegate all users of the account provider.

From a security perspective, we could also restrict TCP forwarding for the sftp users. This is a hole in the security.

Proposed solution
Disables all forwarding features, including X11, ssh-agent, TCP and StreamLocal, by adding the directive DisableForwarding

Match by the API the domain users@domain.com for AD or the locals@nethservertest.org for openldap and allow to use it inside the group dropdown

thank @DavidePrincipi
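
An added example, not NethServer's own code or template: a small Python audit that reads an sshd_config and reports Match blocks that force internal-sftp without setting DisableForwarding yes or switching off every forwarding feature individually. The group names and the sample configuration are constructed; an option left unset in a Match block is treated as open, which is the conservative reading.

```python
# Added example: flag SFTP-only Match blocks that still permit forwarding.
# Group names and SAMPLE_CONFIG are constructed for illustration.
FORWARDING_OPTS = ("allowtcpforwarding", "x11forwarding",
                   "allowagentforwarding", "allowstreamlocalforwarding")

SAMPLE_CONFIG = """\
Subsystem sftp internal-sftp
Match Group sftponly
    ForceCommand internal-sftp
Match Group sftponly-hardened
    ForceCommand internal-sftp
    DisableForwarding yes
Match Group sftponly-partial
    ForceCommand internal-sftp
    AllowTcpForwarding no
"""

def parse_match_blocks(text):
    """Return [(match_criteria, {keyword: value})], one entry per Match block."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()          # sshd_config keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = (value, {})
            blocks.append(current)
        elif current is not None:
            current[1].setdefault(keyword, value)  # first value for a keyword wins
    return blocks

def sftp_blocks_allowing_forwarding(text):
    """Return [(criteria, [open forwarding options])] for SFTP-only blocks."""
    findings = []
    for criteria, opts in parse_match_blocks(text):
        if not opts.get("forcecommand", "").startswith("internal-sftp"):
            continue                        # not an SFTP-only block
        if opts.get("disableforwarding", "").lower() == "yes":
            continue                        # every forwarding feature is off
        still_open = [o for o in FORWARDING_OPTS if opts.get(o, "").lower() != "no"]
        if still_open:
            findings.append((criteria, still_open))
    return findings

if __name__ == "__main__":
    for criteria, still_open in sftp_blocks_allowing_forwarding(SAMPLE_CONFIG):
        print(f"Match {criteria}: forwarding not disabled ({', '.join(still_open)})")
```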